Check Point Capsule Connect - Configuring Per App VPN in iOS without an MDM
Solution

Capsule Connect supports the Per App VPN feature introduced in iOS 7, which allows the VPN to be configured for selected applications instead of as a device-wide, Layer 3 VPN.

In iOS 8, multiple per-app connections can be active at the same time (as long as they are configured for different apps), alongside the classic device-wide, Layer 3 VPN profile. This allows a connection to the Capsule Cloud gateway in parallel with a connection to the on-premises Security Gateway.

An MDM solution should be used to configure the Per App VPN sites (along with managing the devices and applications).

See the Capsule Connect Administration Guide for more details on MDM deployment of Per App VPN.

Alternatively, if MDM is not incorporated in the organization, Per App VPN sites can be deployed from the Security Gateway.

For basic ad-hoc sites, a special QR code that defines the allowed applications can be prepared with the CPQRGen utility (see the "QR Code Parameters" section below). However, to update an existing site that is already deployed (without removing it and deploying a new site), and to centrally enforce the allowed applications, the configuration should be set in the $FWDIR/conf/nemo_client_1.ttm file.

When set, the Capsule Connect client updates and enforces the configuration on every connection to the Security Gateway.


Configuring Per App VPN:

Action plan:

  1. The first step is to configure the Per App VPN settings in the gateway's TTM configuration file.
    This step is not mandatory for ad-hoc sites (created with the CPQRGen utility), but it is required to enforce and update the client's configuration.

  2. The second step is to create and deploy the Per App VPN site on the client, either through the Security Gateway or with the CPQRGen utility.

Follow the instructions below.

To configure Per App VPN on the Security Gateway:

  1. Edit the $FWDIR/conf/nemo_client_1.ttm file.

  2. Set these parameters:

    enable_per_app
      Available values:
      • perapp_and_ip_layer - Default. Allows both types of VPN sites to connect.
      • perapp_only - Allows only per-app VPN sites to connect.
      • false - Disables per-app. Per-app configured sites will not be able to connect.

    per_app_non_encdom_traffic_policy
      Defines what to do with traffic that is not destined to internal resources.
      Available values:
      • block - Default. Drops this traffic.
      • route_all - Sends all traffic through the VPN tunnel, assuming the Security Gateway is already configured to handle Internet traffic.
      • allow_clear - Enables split tunneling, allowing Internet traffic to go directly in the clear, outside the VPN tunnel.

    per_app_allowed_apps
      List of applications identified by their Bundle IDs (see the "QR Code Parameters" section below).

    All TTM attributes are optional (but recommended for enforcement).
    When no Per App attributes exist in the TTM, the client keeps the last configured apps (typically from the QR code), allows both IP-layer and Per App connections, and blocks non-encryption-domain traffic.

    Note: When allow_clear is configured, although the TCP traffic is split, all DNS resolution is still done through the VPN tunnel, so the internal DNS server must be able to resolve Internet addresses.

  3. Save the file after you change it.

  4. Install the policy on the Security Gateway.

Limitation for manual configuration updates: Updates to the Per App allowed applications list require Capsule Connect to be open. Without it, the old (now invalid) apps are blocked, but no new apps can be set; new applications are added only when the user opens Capsule Connect and connects.

Here is an example of the $FWDIR/conf/nemo_client_1.ttm file:

(
    :nemo_client_1 (
        :enable_per_app (
            :gateway (
                :map (
                    :false (false)
                    :perapp_only (perapp_only)
                    :perapp_and_ip_layer (perapp_and_ip_layer)
                )
                :default (perapp_and_ip_layer)
            )
        )
        :per_app_non_encdom_traffic_policy (
            :gateway (
                :map (
                    :block (block)
                    :route_all (route_all)
                    :allow_clear (allow_clear)
                )
                :default (block)
            )
        )
        :per_app_allowed_apps (
            :gateway (
                :default (
                    :ios (
                        :app (
                            :bundle_id (com.google.chrome.ios)
                        )
                        :app (
                            :bundle_id (com.2X.2XClient)
                        )
                    )
                )
            )
        )
    )
)
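As an added example (not part of this SecureKnowledge article and not a Check Point tool), a small Python checker that parses the per-app section of a file in the nemo_client_1.ttm layout above and reports what a reviewer would want to confirm before installing policy: the enable_per_app mode, the traffic policy (flagging allow_clear because of the DNS note), and whether every per_app_allowed_apps entry looks like a reverse-domain Bundle ID. The sample file content, parser and function names are constructed for this example.

```python
import re
# Constructed sample in the nemo_client_1.ttm layout shown above (not a real gateway
# file); allow_clear and a malformed bundle ID are included to exercise the checks.
SAMPLE_TTM = """(
 :nemo_client_1 (
  :enable_per_app (:gateway (:map (:false (false)) :default (perapp_only)))
  :per_app_non_encdom_traffic_policy (:gateway (:default (allow_clear)))
  :per_app_allowed_apps (:gateway (:default (:ios (
    :app (:bundle_id (com.google.chrome.ios))
    :app (:bundle_id (com.2X.2XClient))
    :app (:bundle_id (Chrome)) )))) ) )"""
TOKEN = re.compile(r"\(|\)|:\w+|[^\s()]+")  # '(' , ')' , ':name' or a bare value
ENABLE_VALUES = {"perapp_and_ip_layer", "perapp_only", "false"}
TRAFFIC_VALUES = {"block", "route_all", "allow_clear"}
BUNDLE_ID = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # reverse-domain form

def parse(text):  # set-file syntax -> nested lists of (name, value); bare values get name None
    toks, pos = TOKEN.findall(text), 0
    def node():
        nonlocal pos
        if toks[pos] != "(": raise ValueError(f"expected '(' at token {pos}")
        pos, children = pos + 1, []
        while toks[pos] != ")":
            t = toks[pos]; pos += 1
            children.append((t[1:], node()) if t.startswith(":") else (None, t))
        pos += 1
        return children
    return node()

def lookup(node, *path):  # follow named keys downward; None if any key is missing
    for key in path:
        node = next((v for n, v in (node or []) if n == key), None)
    return node

def atom(node):  # first bare value inside a node, e.g. the x in ':default (x)'
    return next((v for n, v in (node or []) if n is None), None)

def check_per_app(ttm_text):
    root = lookup(parse(ttm_text), "nemo_client_1")
    enable = atom(lookup(root, "enable_per_app", "gateway", "default"))
    traffic = atom(lookup(root, "per_app_non_encdom_traffic_policy", "gateway", "default"))
    apps = lookup(root, "per_app_allowed_apps", "gateway", "default", "ios") or []
    bundles = [atom(lookup(v, "bundle_id")) for n, v in apps if n == "app"]
    findings = []
    if enable not in ENABLE_VALUES: findings.append(f"enable_per_app: unexpected value {enable!r}")
    elif enable == "false": findings.append("enable_per_app=false: per-app sites will not be able to connect")
    if traffic not in TRAFFIC_VALUES: findings.append(f"per_app_non_encdom_traffic_policy: unexpected value {traffic!r}")
    elif traffic == "allow_clear": findings.append("allow_clear: DNS still resolves through the tunnel; internal DNS must resolve Internet names")
    findings += [f"bundle ID not in reverse-domain form: {b!r}" for b in bundles if not (b and BUNDLE_ID.match(b))]
    return {"enable_per_app": enable, "traffic_policy": traffic, "bundle_ids": bundles, "findings": findings}
```

Run check_per_app() on the text of the real file and review the returned findings list; an empty list means the three per-app attributes are present with known values and every bundle ID is well formed.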


Creating Per App VPN sites:

A VPN site must be configured as per-app when it is created in order to be used as a Per App VPN site.

This can be done either with a QR code created by the CPQRGen utility with the isPerApp parameter enabled or, on an R77.30 Security Gateway, by selecting Per App VPN site in the Mobile Access blade's "Add sites and certificates" section.


QR Code Parameters for iOS Per App VPN

In addition to the basic VPN parameters outlined in the Capsule Connect Administration Guide, these parameters can be used to create Per App VPN sites on iOS devices where MDM is not used.

When TTM is configured on the Security Gateway, only isPerApp is needed, as the other settings are taken from the TTM when the client connects.

The remaining parameters are needed only for ad-hoc Per App VPN sites.


isPerApp
  Configures the site as a Per App VPN site.
  Valid values:
  • yes
  • no
  Default value: no

perAppAllowClearTraffic
  Defines how clear (non-encryption domain) traffic from allowed apps is handled: blocked, routed through the tunnel, or allowed directly.
  Valid values:
  • block
  • route_all
  • allow_clear
  Default value: block

perAppBundleIds
  An array of App Store application Bundle IDs. See the explanation below.
  Default value: no value

perAppTrackIds
  An array of App Store application Track IDs. See the explanation below.
  Default value: no value

The applications are identified by their Bundle ID, which uniquely identifies a single app in iOS.

A Bundle ID is a string in reverse-domain form, such as 'com.mycompany.myproductname'. For example, the Google Chrome app has the Bundle ID 'com.google.chrome.ios'.

Most MDMs have a built-in utility to search App Store apps and obtain this string. For in-house apps, this string should be obtained from the app developer.

Alternatively, apps can be specified by their iTunes Store ID. This Track ID is the number that follows 'id' in the app's URL on the store.

For example, the iTunes URL for Google Chrome is:

https://itunes.apple.com/us/app/chrome-web-browser-by-google/id535886823?mt=8

The number after 'id' (535886823) is the Track ID that can be used in CPQRCodeGenerator.

Internet access is needed when using this option, because the tool queries the iTunes Store services to translate the Track ID to a Bundle ID.

Note: Per App cannot be set on Apple's native iOS applications.

The CPQRGen utility is available for download from the Check Point Support Center.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated.